VPNFilter malware affects even more devices, delivers exploits to endpoints

News by Bradley Barth

The VPNFilter malware that was discovered infecting hundreds of thousands of routers and Network Attached Storage devices since at least 2016 apparently even more dangerous than originally reported.

The VPNFilter malware that was discovered infecting hundreds of thousands of routers and Network Attached Storage devices since at least 2016 apparently even more dangerous than originally reported.

A new blog post today from Cisco Systems'  Talos threat intelligence unit reports that researchers have identified even more device makes and models as targets, and have uncovered additional third-stage modules, one of which is capable of compromising not just the networking devices, but also the endpoints connected to them.

The reports adds equipment from ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE to VPNFilter's roster of targets, plus more devices from previously named targets Linksys, MikroTik, Netgear, and TP-Link.

Talos identified the two newly uncovered stage-three modules as ssler (pronounced "esler") and dstr.

The ssler module is capable of exfiltrating data, as well as injecting malicious JavaScript into web traffic intercepted from network devices. The latter function creates a man-in-the-middle (MITM) scenario that allows attackers to potentially deliver exploits to endpoints connected to the network.

"This does not mean it will be successful at the exploitation attempt," said Mounir Hahad, head of Juniper Threat Labs, in emailed comments, but it does mean "the exploit is attempted without a user having to visit a compromised site, click on a malicious link or open a malicious email attachment."

Specifically, the malware hijacks traffic destined for port 80 and redirects it to its own listening service on port 8888, by executing several malicious commands within the kernel -- a technique it performs every four minutes to establish persistence. The content of this traffic can then be stolen or modified before it is sent to the legitimate HTTP service.

Moreover, any requests to move traffic through the more secure HTTPS protocol is "sslstripped," meaning the module changes HTTPS requests to less secure, unencrypted HTTP requests, thus allowing the attackers to view the transmitted content in plain text and harvest any credentials or other sensitive data.

"With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports," Talos warns. "If successful, the actor would be able to deploy any desired additional capability into the environment to support their goals, including rootkits, exfiltration capability and destructive malware," the blog post later concludes.

The malware performs its MITM attack based on certain variables or parameters, including Source IP (the endpoint IP making the http request), Destination IP, and Visited Sites. A separate blog post issued by Juniper Networks today notes that the including of Source IP "means the threat actor has potentially profiled endpoints behind the firewall and knows which endpoint to target with the exploits," while the use of Visited Sites and Destination IP and Visited sites lets the adversary target domain names of interest, or spy on communications with banks and cloud email platforms and other service providers.

A spokesperson for Symantec, which updated its VPNFilter Q&A page based on Talos' latest report, told SC Media via email that "by default, the malware searches for certain strings, such as passwords," but it can also "send a file to look for all info related to a specific banking website, copy all unencrypted traffic, and send to a host server to be used at a later point."

The other recently exposed stage-three module, dstr, adds a "kill" function, capable of bricking devices, to any stage-two VPNFilter module that didn't already come with this power. (Only some versions of the stage-two module, which typically performs file collection, command execution, data exfiltration and device management, can render devices unusable, by overwriting a portion of the firmware and forcing a reboot.)

Talos said that dstr bricks devices by "deleting files necessary for normal operation," while also "deleting all files and folders related to its own operation... possibly in an attempt to hide its presence during a forensic analysis."

Previously known stage-three modules included a packet sniffer, named "ps," and a communications plugin that lets the malware to communicate via Tor.

“It is obvious that the scope of this campaign is far bigger than initially thought," said Hahad. "The ability to infect endpoints introduces a new variable, and the clean-up process is more involved than just rebooting routers. Any exploit could have been used by the threat actors to target the computers behind infected routers."

"VPNFilter is still in full force, in the wild infecting a broader set of devices than known previously, which makes it quite concerning still," said Derek Manky, global security strategist at Fortinet's FortiGuard Labs division. "This is a good example of how even exposed campaigns can continue to move with velocity... This is showing a new level of sophistication when it comes to attacks, stealthier in nature as it uses hooks to piggyback on legitimate traffic streams."

Last month, the Department of Justice announced that the FBI seized a domain associated with the VPNFilter botnet, which the agency said is controlled by the Russian APT group Fancy Bear, aka Sofacy. (The campaign's focus on infecting Ukrainian hosts leads experts to believe Ukraine may be VPN'Filter's primary target.)

The DOJ advised owners of all small/home office routers and NAS devices to reboot their IoT products. Although rebooting will temporarily eliminate any second-stage modules, the persistent first-stage module will call out for instructions and try to reinfect the device. Nevertheless, "these efforts maximize opportunities to identify and remediate the infection worldwide in the time available before Sofacy actors learn of the vulnerability in their command-and-control infrastructure," the DOJ explained in a 23 May press release.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews